00. Cybercriminals Launch a Typosquatting Campaign Impersonate Legitimate 
Cybercrime Researcher Brian Krebs Drop Malware - An Analysis 


We’re recently became aware of a currently active RAT (Remote Access Tool) serving malicious 
software campaign that’s impersonating Brian Krebs in two of its C&C (Command and Control) 
servers and we've decided to take a closer look at the campaign including its domain IP and 
network infrastructure for the purpose of providing actionable intelligence on its infrastructure 
potentially assisting security researchers and OSINT analysts by providing them with the 
necessary information stay on the top of such type of threats. 
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Sample screenshot of the botnet’s C&C infrastructure that using a typostuatted domain 
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Sample screenshot of the botnet’s C&C infrastructure that using a typostuatted domain 


impersonating Brian Krebs 
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Sample screenshot of the botnet’s C&C infrastructure that using a typostuatted domain 
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Sample screenshot of the botnet’s C&C infrastructure that using a typostuatted domain 
impersonating Brian Krebs 


Sample botnet C&C server domains known to have been involved in the campaign: 


hxxp://brian.krebsonsecurity.top 
hxxp://brian-krebs-erectile-dysfunction.com 


Sample malicious MD5s known to have been involved in the campaign: 
9e840be4b4ab358bc3405e2c688f3ab1a9d286bd4fb9edb4468dc688962b4893 
f556c9b4e5bb463be84dead45a9aedcf8bec4 1¢1c2b503ea52719357943750e7 


We'll continue monitoring the campaign using WhoisXML API’s domain and IP reputation 
monitoring system and will post updates as soon as new developments take place. 


